Log in

No account? Create an account
Today I've received three calls to action from various organizations demanding that I contact the FCC to ask them to stop Comcast from negotiating with Level Three for more money because of increased bandwidth use. As far as I can tell, this is a routine negotiation between two corporations. It's possible that it's something more, but I've seen no information supporting that position. Certainly not in any of these calls to arms.

So I'm being asked to take action on the basis of what amounts to crap. I get exhortations like this in my inbox every day. I usually know nothing about the details of what is being protested. But in this case I do, and what I know leads me to question the validity of every other exhortation I've read.

I think in every case the goal of the action is well-intententioned, and in many cases it's even a good idea. For example, I think that the FCC should go back to treating internet data services as telecommunication services, and should regulate them accordingly.

However, this kind of panicked, ill-informed rhetoric does nothing to increase the effectiveness of government. What it does is to make me tired. I'm at the point where I pretty much delete any political email or requests for money that arrive. I'm being harangued on a daily basis by political creditors who got money from me once, and are sure that even though I didn't send them money last time they asked, it was a tragic oversight that will surely be corrected by them helpfully asking me for money again.

I don't mind contributing money to people who are doing good work, but the only basis I have for telling whether they are doing good work is the email that they send me. So if the mail they are sending me is crap, what am I supposed to think?

So that's the deal. If you can't be bothered to explain why you want me to do what you want me to do using statements that are actually true, and aren't exaggerations, and aren't phrased in the form of a panic attack, then you are not someone I want to hear from.


Some brief points about porno scanners...

Based on this article from the department of Biochem and Biophysics at UCSF:
  • The entire X-ray dose is delivered to your skin, so while that dose would be small if it were a full-body scan, it is not small when it's just your skin.
  • The scan is a brief high-energy burst, controlled by a combination of software and hardware. What happens when the software has a bug, or the hardware fails, and the scanner stays on too long? In hospitals, when similar failures occur, people die.
  • You can't die from being patted down, or from being wanded, or from going through a metal detector, or even from being strip-searched.
People complain a lot about the invasiveness of pat-downs and searches. A lot of people have been going for their fifteen minutes by posting videos or long descriptions about the horrors of patdowns by the TSA. This is wrong-headed.

If you think that this level of security is not necessary, then the place to argue about it is at the policy level, not at the security checkpoint. Write letters to the editor. Call your senator. Explain why you think it's not necessary or not useful to try to detect underwear bombs. There are cogent arguments to be made on this point—I'm not being facetious.

But please, make real arguments. Don't tell us how you were victimized. We care, really we do, but shit happens. Deal with it. There is no security apparatus that is not going to piss someone off at some point. What you want in a security apparatus is for it to work. A security apparatus that has exceptions like "don't touch my junk" can't work.

If we make security policy on the basis of our victimization, it's kind of like choosing the tires on our car not for the traction they provide in varying conditions, but for how they look.
My friend Ed Santiago, who is a big Linux proponent, asked the following very good question on my blog a while back, and I didn't notice that his message got held for confirmation, and never got around to answering it:

So it's OK for Steve Jobs to decide what you can and cannot run on your computer equipment?

No. But the fact that he's excluded this particular piece of software is not an additional reason to dislike the iPad. The closed development environment is problematic--it's definitely a problem that the App store will reject Apps for reasons other than "this isn't secure." On the other hand, a laissez-faire environment that does nothing to protect end-users from security-stupid applications is also bad. We know what that environment looks like--it's Windows. Land of the worm, land of the virus.

Linux is a happier place, because it doesn't have to leave security holes open for backwards compatibility, and because it's less of a target for virus writers, but in principle it's got the exact same problem, as does Mac OS X: the operating system's security policy is default-allow. By default, it's okay for an app to do anything it wants.

Apple's solution on the iPad is draconian. I prefer Bitfrost. But fundamentally, Apple is engaging in an important experiment. By moving to a default-deny security model, where the app can only do those things that are enumerated, they are trying something new and important.

The idea that you can depend on end users to make safe security decisions is simply wrong-headed. It's like depending on end-users to choose which size needle to use in their carburetor. Sure, there are users who can do that, but they are by far the minority.

And unlike a carburetor needle, the worst that happens if you get it wrong is not just that your engine runs poorly, or wears out and dies prematurely. It's that your identity is stolen, your bank accounts emptied, your assets potentially transferred to new owners, your secrets revealed, your relationships destroyed, and so on.

We need to stop using the default-allow security model. Apple is taking a useful step in this direction. The OLPC project, with their Sugar environment, also took a useful step in this direction. It will be interesting to see the outcome of this experiment. I consider this much more interesting than the iPad's form factor, even though I've been waiting for a competent computer in that form factor for over a decade.
Some guy from Apple leaves his phone in a bar. An hour later, he goes back for it, but the phone is gone, because the guy who found it left with it instead of leaving it in the bar's lost and found. Imagine what this guy is thinking. He's thinking he's lost his job. He's thinking about what this is going to look like on his resume, and how he's going to make his mortgage payments next month. Imagine what his stomach feels like. Imagine the impotent tears of regret at his own stupid mistake that he's trying to hold back. Imagine how much he wishes the person who found the phone had done the right thing.

In what universe, on what planet, is it okay to be the cause of someone going through this?

Come on!

I'm sorry, but I would not consider it an overreaction at all if the person who walked out of the bar with the phone were charged with grand theft, and the "reporter" for Gizmodo with knowingly receiving stolen goods. It sounds like a joke, and it sounds like Apple is maybe overreacting a little, until you consider what it would be like if it were your phone that were treated this way, and your job that were on the line.

I love Jon Stewart, and he's a comedian, so he's allowed to be ridiculous, but I've gotta say, I do not agree with him at all on the whole Apphole thing.


...of the person at Google who has to process this bug report:

Hi Ted,

Thanks for taking the time to report a problem with Google Maps. We'll send you an update once your report has been reviewed to let you know the resolution.

We have created ID: D17C-5F06-6727-BD73 to track this problem.

Report history Problem ID: D17C-5F06-6727-BD73

Your report:

This route takes you through a private marina and onto a single-track dirt path which leads through a homeless encampment under the freeway. The track under the bridge is unlit and muddy, and not something that a beginner should attempt. Clearance is under 6'.

You can ride your bicycle through there, and the number of tracks there indicates that people do, but I think it's a really bad idea for Google to be sending people on this route. It's not obvious that you're about to be in a homeless encampment until you're in it, because it's so dark under the bridge that you can't see anything until you're under it.

It would be a great location for a text adventure game, but it's not a good place to send unsuspecting bicycle commuters. I'm not upset about it, mind you, but someone else might be.

Thanks for your help,
The Google Maps team
It turns out that a lot of malware is being served by supposedly legitimate advertising providers, including yahoo. So this is yet another reason to surf with Flash disabled.

Also, if you thought PDF was safe, think again. Apparently you can embed Flash in PDFs, and this represents a significant vulnerability. I don't know what the implications are for Mac users: does Preview support embedded Flash in PDF docs? Bottom line: if you weren't expecting your pal to send you a PDF doc, probably better to double check that it was they who sent it before you try to open it.

Of course, all of this is completely ridiculous—the reason a Flash vulnerability is so easy to exploit is that no operating system available today restricts applications to accessing only those objects they actually need to do their work. And of course because Flash itself tries to be a complete operating environment, any operating system that tried would either have to let Flash do everything, or disable Flash.

Which is in fact the reason Steve Jobs gives for not allowing Flash on the iPhone and iPad.


Why Steve Jobs is a Hero

There's been a lot of buzz on the web about Steve Jobs and his decision not to allow Adobe's Flash product on the iPad. When I read about it, mostly I don't see any real analysis of why Flash is a bad idea, so I thought I'd write up my thoughts about it.

Here are my reasons for wanting to see HTML5 win over Flash:

  • Flash is proprietary, meaning that:
    • Adobe has to want to support your platform in order for you to get support
    • Adobe will fix bugs for your platform when they get around to it, which will be later, unless your platform is Windows 7.
  • It's not searchable, meaning that if your content is in Flash, it doesn't show up on Google
  • I need special software from Adobe to create Flash media, and that software doesn't run on Mac OS X
  • It's a privacy boondoggle.

Some people say that the privacy issue doesn't matter, because we're hosed anyway—we don't really have any privacy, and so who cares if the people advertising on the web know everything about our surfing habits. This might be true if the people tracking our surfing habits were all Madison Avenue types. But they aren't.

Have you looked at web ads recently? Most of them are for scams. So your private browsing information, if exposed, is going to wind up being sent to scammers, not just to Madison Avenue. Still comfortable? The information you're sending could wind up helping someone to get into your bank account, or get enough information about you to steal your identity. So opening up a big secondary attack surface in your web browser so that you can watch Hulu may not be the wisest choice.

As for the other issues, the lack of platform support means that for instance if I want to come out with a cool new tablet PC, it either has to run Windows, or else Adobe has to really love it and want to support it. This stifles innovation. HTML 5 is an open standard—anyone can implement it, and there are free, open source implementations available today.

The lack of searchability for Flash media is a real issue—a lot of web designers use Flash to make web sites look pretty, and then the web sites can't be indexed. The people paying the bills see the pretty web site and get all googly-eyed, without realizing that their web designer has rendered their site completely invisible to web searches. Form over function, right?

The special software issue is a big deal for me because I do webcasts. I either have to run Windows, so that I can use Adobe's proprietary high-quality encoding software, or I have to live with about half the encoding resolution, as provided by their proprietary Java encoding software.

So yeah, it's a big deal that Flash is what everyone uses. It's a really big problem—it means that people with lots money have a huge advantage over people without lots of money.

So as far as I'm concerned, Steve Jobs is a big hero for resisting Adobe's Flash platform. For me, the lack of Flash on the iPad is a reason why I'm rooting for it, not a reason not to buy it.


Suppose the brain is a quantum interference device.
Suppose it exists in limitless causal domains.
Suppose consciousness is the product of the interference between causal domains.
  • Tsams (partially-isolated causal domains) work.
  • Consistent timing of practices works, for all practices.
  • Compassion works.
  • Consciousness can't be said to be connected to the physical form--you could even say that it's contagious.
  • Parenthood works.
  • Spending time in close proximity to a disturbed mind will disturb your mind, or if your mind is particularly clear, possibly help the person's mind to be less disturbed.
  • Spending time in close proximity to a clear mind will clear your mind, particularly if you try to clear your mind, because many you's will try also.
  • Spending time in a zendo is a good idea.
  • Practices of intervals, like the tomato method, work.
  • Habits that smear don't work.
  • Multitasking is much more harmful than it would appear to be.
  • Dying makes you stupid.

Notes on building Linux kernel...

Just some notes on building Linux kernels so that I don't forget:

Read moreCollapse )


I'm famous (or "why I hate C")!

For those of you who don't know, I'm the author of the ISC DHCP distribution (not the DHCPv6 code, but the rest). It's written in C. I've had a pretty good record in the past - no buffer overflows detected. The last thing I got dinged for was a case where I'd used a non-constant string as a format string to printf, but this was safe because it was my application that constructed the string. We fixed it anyway, and I think there was a (completely unnecessary) CERT advisory. Not that I am bitter. Unfortunately it turns out that there is one obscure buffer overflow in the code, which has been there for a really long time without being detected. See if you can spot it:
                        struct iaddr netmask, subnet, broadcast;

                        memcpy (netmask.iabuf, data.data, data.len);
                        netmask.len = data.len;
                        data_string_forget (&data, MDL);
Hint: data contains data supplied by a device on the network, which has not been validated.

This is why I would really like to see the C programming language abolished. No matter how careful you are (and I have to confess that I'm not all that careful - I get by more on good programming style than anal-retentive code reviews), you will eventually get screwed by a stack overflow bug.

Also, why accept responsibility for your own fuckup when you can blame someone famous, like Dennis Ritchie? :')

Anyway, if you're running Linux or BSD and use the DHCP client, upgrade. Now. I don't think there's an exploit in the wild, but there will be.

Latest Month

May 2012


RSS Atom
Powered by LiveJournal.com
Designed by chasethestars